Hi James,
Thanks for your review.
On Tue, Mar 13, 2018 at 10:17:50AM -0700, James Bottomley wrote:
> On Tue, 2018-03-13 at 18:35 +0800, Lee, Chun-Yi wrote:
> > When getting certificates list from UEFI variable, the original error
> > message shows the state number from UEFI firmware. It's hard
On 13 March 2018 at 10:37, Lee, Chun-Yi wrote:
> The MOK cannot be trusted when secure boot is disabled, which
> means that the kernel embedded certificate is the only trusted key.
>
> Because db/dbx are authenticated variables, they need the manufacturer's
> KEK for
On Tue, 2018-03-13 at 18:38 +0800, Lee, Chun-Yi wrote:
> This patch adds the logic for checking the kernel module's hash
> based on the blacklist. The hash must be generated by sha256 and enrolled
> to dbx/mokx.
>
> For example:
> sha256sum sample.ko
> mokutil --mokx --import-hash
On Tue, 2018-03-13 at 18:35 +0800, Lee, Chun-Yi wrote:
> When getting the certificates list from a UEFI variable, the original error
> message shows the state number from UEFI firmware. It's hard for a
> human to read. This patch changed the error message to show the
> appropriate string.
>
> The
[adding linux-integrity and tpmdd-devel since this was discussed in these ML
too]
On 03/13/2018 03:09 PM, Ard Biesheuvel wrote:
> As reported by Jeremy, running the new TPM libstub code in mixed mode
> (i.e., 64-bit kernel on 32-bit UEFI) results in hangs when invoking
> the TCG2 protocol, or
The following changes since commit 7928b2cbe55b2a410a0f5c1f154610059c57b1b2:
Linux 4.16-rc1 (2018-02-11 15:04:29 -0800)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/efi/efi.git tags/efi-urgent
for you to fetch changes up to
As reported by Jeremy, running the new TPM libstub code in mixed mode
(i.e., 64-bit kernel on 32-bit UEFI) results in hangs when invoking
the TCG2 protocol, or when accessing the log_tbl pool allocation.
The reason turns out to be that in both cases, the 64-bit pointer
variables are not fully
On 13 March 2018 at 13:41, Jeremy Cline wrote:
> On 03/13/2018 03:59 AM, Ard Biesheuvel wrote:
>> On 13 March 2018 at 07:47, Hans de Goede wrote:
>>> Hi,
>>>
>>>
>>> On 12-03-18 20:55, Thiebaud Weksteen wrote:
>> ...
Hans, you said you
On 03/13/2018 03:59 AM, Ard Biesheuvel wrote:
> On 13 March 2018 at 07:47, Hans de Goede wrote:
>> Hi,
>>
>>
>> On 12-03-18 20:55, Thiebaud Weksteen wrote:
>>>
> ...
>>>
>>> Hans, you said you configured the tablet to use the 32-bit version of grub
>>> instead
>>> of 64.
On Tue, Mar 13, 2018 at 9:47 AM, Hans de Goede wrote:
> On 12-03-18 20:55, Thiebaud Weksteen wrote:
>> Hans, you said you configured the tablet to use the 32-bit version of grub
>> instead
>> of 64. Why's that?
> Because this tablet, like (almost?) all Bay Trail hardware
This patch set is based on the efi-lock-down and keys-uefi branches in
David Howells's linux-fs git tree.
https://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git/log/?h=keys-uefi
The main purpose is to use MOKx to blacklist kernel modules.
As the MOK (Machine Owner Key), MOKx
This patch adds the logic to load the blacklisted hash and
certificates from MOKx which is maintained by shim bootloader.
Cc: David Howells
Cc: Josh Boyer
Cc: James Bottomley
Signed-off-by: "Lee, Chun-Yi"
When getting the certificates list from a UEFI variable, the original error
message shows the state number from UEFI firmware. It's hard for a human
to read. This patch changed the error message to show the appropriate
string.
The message will be shown as:
[0.788529] MODSIGN: Couldn't get UEFI
This patch adds the logic for checking the kernel module's hash
based on the blacklist. The hash must be generated by sha256 and enrolled
to dbx/mokx.
For example:
sha256sum sample.ko
mokutil --mokx --import-hash $HASH_RESULT
Whether the signature on ko file is stripped or not, the
It's better to check the attributes of the db and mok variables
before loading certificates to the kernel keyring.
Both db and dbx are authenticated variables, which
means that they can only be modified by the manufacturer's key. So
the kernel should check
The MOK cannot be trusted when secure boot is disabled, which
means that the kernel embedded certificate is the only trusted key.
Because db/dbx are authenticated variables, they need the manufacturer's
KEK for update. So db/dbx are secure when secure boot is disabled.
Cc: David Howells
On 13 March 2018 at 10:23, Thiebaud Weksteen wrote:
> On Tue, Mar 13, 2018 at 8:59 AM Ard Biesheuvel
> wrote:
>
>> On 13 March 2018 at 07:47, Hans de Goede wrote:
...
>> > Could the problem perhaps be that the new code for the
On Tue, Mar 13, 2018 at 8:59 AM Ard Biesheuvel
wrote:
> On 13 March 2018 at 07:47, Hans de Goede wrote:
> > Hi,
> >
> >
> > On 12-03-18 20:55, Thiebaud Weksteen wrote:
> >>
> ...
> >>
> >> Hans, you said you configured the tablet to use the 32-bit
Hi,
On 12-03-18 22:02, Ard Biesheuvel wrote:
On 12 March 2018 at 19:55, Thiebaud Weksteen wrote:
On Mon, Mar 12, 2018 at 7:33 PM Jeremy Cline wrote:
On 03/12/2018 02:29 PM, Thiebaud Weksteen wrote:
On Mon, Mar 12, 2018 at 6:30 PM Ard Biesheuvel <
On 13 March 2018 at 07:59, Ard Biesheuvel wrote:
> On 13 March 2018 at 07:47, Hans de Goede wrote:
>> Hi,
>>
>>
>> On 12-03-18 20:55, Thiebaud Weksteen wrote:
>>>
> ...
>>>
>>> Hans, you said you configured the tablet to use the 32-bit version of
On 13 March 2018 at 07:47, Hans de Goede wrote:
> Hi,
>
>
> On 12-03-18 20:55, Thiebaud Weksteen wrote:
>>
...
>>
>> Hans, you said you configured the tablet to use the 32-bit version of grub
>> instead
>> of 64. Why's that?
>
>
> Because this tablet, like (almost?) all Bay
Hi,
On 12-03-18 20:55, Thiebaud Weksteen wrote:
On Mon, Mar 12, 2018 at 7:33 PM Jeremy Cline wrote:
On 03/12/2018 02:29 PM, Thiebaud Weksteen wrote:
On Mon, Mar 12, 2018 at 6:30 PM Ard Biesheuvel <
ard.biesheu...@linaro.org>
wrote:
On 12 March 2018 at 17:01, Jeremy
On Mon, Mar 12, 2018 at 10:03 PM Ard Biesheuvel
wrote:
> On 12 March 2018 at 19:55, Thiebaud Weksteen wrote:
> > On Mon, Mar 12, 2018 at 7:33 PM Jeremy Cline wrote:
> >
> >> On 03/12/2018 02:29 PM, Thiebaud Weksteen wrote:
> >> >